lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 20 Jan 2017 00:04:12 +0100
From:   Adam Borowski <kilobyte@...band.pl>
To:     Greg KH <gregkh@...uxfoundation.org>,
        Matthias Klose <doko@...ian.org>, 845177@...s.debian.org
Cc:     Manuel Schölling <manuel.schoelling@....de>,
        jslaby@...e.com, lkml14@...tdoyle.com, rdunlap@...radead.org,
        shorne@...il.com, andrey_utkin@...tmail.com,
        akpm@...ux-foundation.org, paul.burton@...tec.com,
        daniel.vetter@...ll.ch, tj@...nel.org, hdegoede@...hat.com,
        linux-kernel@...r.kernel.org, linux-fbdev@...r.kernel.org
Subject: Re: [PATCH v10 3/4] console: Add persistent scrollback buffers for
 all VGA consoles

On Thu, Jan 19, 2017 at 05:33:14PM +0100, Greg KH wrote:
> On Thu, Jan 19, 2017 at 05:12:15PM +0100, Manuel Schölling wrote:
> > On Thu, 2017-01-19 at 14:23 +0100, Greg KH wrote:
> > > On Fri, Jan 13, 2017 at 09:07:57PM +0100, Manuel Schölling wrote:
> > > > +	  This feature might break your tool of choice to flush
> > > > the scrollback
> > > > +	  buffer, e.g. clear(1) will work fine but Debian's
> > > > clear_console(1)
> > > > +	  will be broken, which might cause security issues.
> > > > +	  You can use the escape sequence \e[3J instead if this
> > > > feature is
> > > > +	  activated.
> > > 
> > > This issue is the one that makes me the most worried.  Why doesn't
> > > clear_console() work anymore?  Why doesn't it use \e[3J ?
> > 
> > Well, clear_console() just switches from one console to another and
> > back again. It just assumes that the scrollback buffer is flushed when
> > switching.
> > My plan is to make a patch for clear_console() as soon as these patches
> > are in the kernel - it's chicken-and-egg problem.
> 
> I'd recommend that patch get to clear_console() first, having it use the
> new escape sequence, if it isn't supported, shouldn't cause any
> problems, right?

In that case, we need to hurry -- the last day for any non-serious fixes in
Debian is Jan 26, after that it'll be frozen for months, and any subsequent
changes won't get to stable users for around two years.

doko: would you consider, pretty please with a cherry on top, applying the
patch I've sent to this bug?  The privacy/security issue is pretty minor and
applies only to a tiny fraction of users, but I understand why Greg is
reluctant.

Manuel's scrollback changes won't go to 4.9, and won't be enabled by default
for the time being, but using a newer kernel on old userspace is something
really widespread, be it via bpo, containers on an updated host, etc.


Meow!
-- 
Autotools hint: to do a zx-spectrum build on a pdp11 host, type:
  ./configure --host=zx-spectrum --build=pdp11

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ